0x01 babyre

分析程序

输入的字符串按长度为3、步长为1的滑动窗口分解,例如flag分解为fla、lag;然后对每组字符串计算sha256,再与该组原始(未加密)字符串循环异或。例如,字符串fla经过sha256后生成32字节的哈希值,其中第h个字节与fla的第(h mod 3)个字符异或,得到新的32字节的值。

源程序中有1280字节的密文,也就是40个上述加密后的哈希值。由于每组明文只有3个可打印字符(94³≈83万种可能),可以分组爆破出3个3个的flag块,再经过首尾相接组成flag。

源程序中的40个加密后的哈希值经过随机打乱,不再按fla、lag、…的顺序排列,所以把flag块爆破出来后还需要一个脚本来拼接flag。

python脚本

爆破flag块

# 输入的字符串经过3个3个的分解,然后每组字符串经过sha256,再和原来未加密的字符串轮异或
import hashlib

# Ciphertext table taken from the challenge binary: 40 entries, one per
# 3-character block of the flag, stored as uppercase hex strings.
# The entries are in shuffled order, not in flag order.
enc_list = [
    "EB74464F7924C56210CBFFC5A239BE0399ED2C8FB9542BA7C58A7E560F352CA0",
    "3EE5E00A6EA938CF85F882C799D78BC682225428F4E556D047F15E5766855C04",
    "660DC72181954CF9976E5705CBAA483D2AAB5A69283D68E4F74C23CFA8C226D0",
    "F941E7F4FF9960F1DA677E9DBF9814B5B3E2D799074AC0120F212F3A52C37FE3",
    "35D56DB4BD214600049F7F950C01FABD8625065607304F17AEF3C0F0177F9B3E",
    "BDE5663346606CB307F1645F006DB088F34F7D44BE9543A1393B29506D1D3181",
    "4460FE7BAC48BDBB8E354128E7535CE73B1618C594D9D1B9BF7148A7D77077E9",
    "A7FFA0BE1CFA9800FE3364F9E7304557974045E0C950B8F3444432C16AB7DDEE",
    "371F6026FA2D6FC143598A9EE9E12736EABD515BAE24BB03E4C062DDC263F4A1",
    "8C3E5C10A4CC88E19B04592B864AC883D8B994EEB2C46496B3416B000C9A344A",
    "4F3CF2C30DA6DD57B7D3701CDCB9418EAE8A0470C2AD2668ECF0E3AE6B6A29F6",
    "AE3C23E30F42571DFC507171D173F928718E2A5D18C43F7A5B20E125A6421EFB",
    "EFA5034BF44B5E66EF90124EE2CFFD9AACE7C49356A64ADFFBA0D44D29B125AB",
    "8E98386ED91129B0197AE9A642C173578EFD4784D1EE087CE765A714640F9AA8",
    "67A4AD879229F1712037D522B5226B2DC7440EFCB753EC8A52C29CF1FB9BD85F",
    "A65FDA70B1261E143F9406D00D90AA0F55310652F3F908D7C1E5A841F77EBD30",
    "14FCA23CB223F8915D7730AFC7276F1C0FC7EA33A3083553D2684D964EC7E4A9",
    "205DEE6FCFEADA8B589CF48326AF2DEBF56DB42A4DFDF74BF9CB0A34BFD97B90",
    "B83E17E31FE0A48B54C94AC4175B46302D5E8B38D7CB42E618AEC9197D43B1B3",
    "6891A18CDC5CA57F20284187FE6988D860ED46076F779B088D2FA78A798A55DC",
    "C6E657E8B101A23B9F8ADE02F696D905F63C626C3E07FD06002B2030B20FAFF0",
    "2625D9B875A4B74DD421CCB5411CC309EBE7CC75BED408F9F486E6CFFF4F14AC",
    "36DFFB643C2721A3AD4CA95415D59CF3C3EE85FF75F2BC6FFD1FC09499544B72",
    "18F5937E8B73C7764DEBC840266B14F3D049AE9511AB135CC764C5C6F10C87C0",
    "87BC8D3181D7470630D4A983FE401F46C99F4A52D81E8D4146211BFA28AE52C9",
    "D0E3974AFB2D830F443136F4464DDFEFA30688BE27A8A0158A85B8040C2C0459",
    "8F2111751D296F862FFEBC2FB50D6530FE6C09D70F54664ED2F2C44365D647B3",
    "E6D5BB45707C8B18C8A248B153309605B34ED9CEF42172114F52AE47E8063131",
    "EFB2F1AD55868D648722111B00CFE2132463F9659AA1F8298ED2FBD1239071DC",
    "3ACF63661C77A5ACBB54410FF3F7CFA1701040BD2D2C8F721A37E310A8460584",
    "5E7202DB021B2346A1BB920AE80DD0066F05A0524BC80339ED9932542883473F",
    "EFCA18C1C8B8C9B0E31B7169BAC1F1B9697B2799BDB869006C16C49B77525AB7",
    "546FE3345E5F01A5E248FB966B7592D2A0DA0BED3E27F6C789647FDE73F59258",
    "FFC6A638758661126FC03D24226DA7295EBDF50C52D96631B5804D02CDF2DC89",
    "FA6063CA2D00953200BED4BF734CEDBA0C56A185C46CB60ABCDD8C611E4203B4",
    "E0F217FA14389FB1A49C03180CC616C730FA48B1B96EB17D7B3BDFD9B6A7D646",
    "A57C976DD592A3F022A15399A1C37140E1897B231918DC2F2257DD2CC33FADEF",
    "99939CE9EB676674458ED487984E9F8D2C7DF23D8093940FEAB586D0E674B6B2",
    "416125DED9C2386A247F1D87BAD1CAB640579EAE3050FFD0A8AEDF52254AA5E9",
    "186F060C97150EC26626CC8451C47569764B281667A54428E096A20A5D81EB4D",
]

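# Brute-force the 3-character plaintext block behind every entry of enc_list.
#
# Each entry is SHA-256(block) with digest byte h XORed with block[h % 3].
# A block is three printable ASCII characters (codes 33..126), so the whole
# candidate space is only 94**3 = 830,584 values. Hashing such a short input
# gives no protection against exhaustive search, and XORing the digest with
# the plaintext does not enlarge the search space.
#
# The candidate space is walked once and every candidate is looked up in a
# set of the targets, instead of re-hashing every candidate for each of the
# 40 targets.


def _encrypt_block(codes):
    """Return the uppercase hex ciphertext for one 3-character block.

    Args:
        codes: the three character codes of the block, each in 33..126.

    Returns:
        64 uppercase hex characters: the SHA-256 digest of the block with
        byte h XORed with codes[h % 3].
    """
    digest = hashlib.sha256(bytes(codes)).digest()
    mixed = bytes(byte ^ codes[pos % 3] for pos, byte in enumerate(digest))
    return mixed.hex().upper()


def _recover_blocks(targets):
    """Map each target ciphertext to the first block that produces it.

    Candidates are tried in the same (i, j, k) order as a plain triple
    loop, and the search stops as soon as every target is matched.
    Targets with no matching block are simply absent from the result.
    """
    pending = set(targets)
    found = {}
    printable = range(33, 127)
    for i in printable:
        for j in printable:
            for k in printable:
                cipher = _encrypt_block((i, j, k))
                if cipher in pending:
                    # Keep only the first hit so a later candidate can
                    # never overwrite it.
                    pending.discard(cipher)
                    found[cipher] = chr(i) + chr(j) + chr(k)
                    if not pending:
                        return found
    return found


_blocks = _recover_blocks(enc_list)

# Print the blocks in enc_list order as a quoted, comma-separated list that
# can be pasted into the reassembly script. An unmatched target prints
# nothing.
for target in enc_list:
    if target in _blocks:
        print("'" + _blocks[target] + "'", end=", ")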

拼接flag

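# `flag` holds the 3-character blocks printed by the brute-force script.
flag = ["-48", "-79", "-80", "-bf", "0bd", "177", "194", "29f",
        "37-", "39a", "4-7", "48f", "4a3", "7-4", "729",
        "772", "793", "80b", "8a}", "8fb", "937", "94a", "9a4", "9f8", "a-8",
        "a39", "a4-", "ag{", "b-b", "bd1", "bfe", "d17", "ea-",
        "f8a", "fb-", "fea", "fla", "g{1", "lag", "{19"]

# Consecutive blocks overlap by two characters, so the block that follows
# is the one whose first two characters equal the last two characters
# assembled so far. Index the blocks by that two-character prefix;
# setdefault keeps the first block for a prefix, matching a front-to-back
# scan of the list.
next_char = {}
for chunk in flag:
    next_char.setdefault(chunk[:2], chunk[-1:])

# Start from the known flag prefix. The result is not named `input`, so the
# builtin stays usable.
assembled = "fla"

# A complete chain uses each block at most once, so len(flag) + 1 rounds is
# enough; the bound also stops a cyclic chain from looping forever.
for _ in range(len(flag) + 1):
    if assembled[-1:] == '}':
        break
    tail = assembled[-2:]
    if tail not in next_char:
        # Without this check a missing block would leave the loop spinning
        # with no progress.
        raise ValueError("no block continues %r (assembled so far: %r)"
                         % (tail, assembled))
    assembled += next_char[tail]
else:
    raise ValueError("no closing '}' reached (assembled so far: %r)"
                     % assembled)

print(assembled)
# Expected output: flag{194a39a4-7937-48fb-bfea-80bd17729f8a}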